Since it's just a matter of reverse engineering (some can do very easily, some it will take longer), a simple CPU core controlling/configuring your IP will mostly do the job just fine, like locking firmware (generated) to a serial number in the SPI flash. There are many options of cheap obfuscation you can apply to make it very painful/complex for an R-Engineer to identify the right bits to turn in order to make it work. For example, shuffling opcode bits of a known architecture can create a lot of headache already.